New Poison Ivy Activity Targeting Myanmar, Asian Countries

The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks’ Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months.

Technical Details

The PIVY variant that ASERT has observed has exhibited some newer behavior that we have not seen discussed previously. The samples drop a decoy doc – usually hinting clearly at the target, a DLL named ActiveUpdate.dll and the PIVY shellcode file as Active.dat. The ActiveUpdate.dll and Active.dat files are created in a directory that follows the format ActiveUpdate_ [0-9]{3}. The executable copies rundll32.exe to ActiveFlash.exe and then executes the new file with the path to the DLL and installs itself for automatic startup via a .lnk in the Windows Startup folder. ESET identified these samples as “Win32/Korplug.I[F-I] variant“, possibly due to the appearance of the malware using DLL sideloading with rundll32 to load the dropped DLL and perform its malicious actions. This deployment tactic dates well into last year (and possibly before) using different executable names for the rundll32 copy and the base directory name, however this post will only cover a subset of the variant using “ActiveUpdate”.

Illustration of execution process of one PIVY Sample

The compile times on these binaries also closely correlate to the times they were first observed in-the-wild and some samples contained timestamp-like entities in the various campaign IDs fields in the malware configuration.

The decrypted configuration appears to be slightly modified in such a way as to confuse some publicly available tools that parse the configuration data. The campaign ID is not fully null-padded – there is now one null-byte and a string of repeating “x” characters that will cause confusion for some scripts. Additionally, the C2s are no longer null-padded – each hostname ends with a null-byte that is then followed by a string that will look something like “0.1127.0.0.1127.0.0.100000”. This string will change slightly with each Command & Control (C2) server – the portions that start with “1” will change to 2 for the second C2, 3 for the third, etc. These values end up being present elsewhere in memory without the extra items and only small tweaks are needed to fix the parsing.

The hostname webserver.servehttp[.]com is observed in a number of PIVY samples, some of which are covered in this post. Additionally, the IP resolved to by this hostname overlapped with fileshare.serveftp[.]com which was used in an earlier and seemingly unrelated PIVY sample.

Decoy Document and Targeting Information

A number of PIVY samples were observed to be targeting Myanmar and several other countries in Asia. While the exact targets and delivery methods are not known to ASERT at this time, the documents and submission sources provide strong hints as to the motivations and potential targets of these exploitation campaigns. The sample described in the previous section – a7d206791b1cdec616e9b18ae6fa1548ca96a321 – was observed to be targeting Myanmar in late November 2015. The compile timestamp on the sample was November 2, 2015, the apparent timestamp in the filename appears to be referencing a report that was released on November 25, 2015 and it was first seen late evening in the US on November 24, 2015 which would equate to November 25 in Myanmar. The document was dropped as “STEP Democracy Year 1 Acheivements_25112015.docx” and was also dropped by SHA1 724166261e9c2e7718be22b347671944a1e7fded with the name “Year1achievementsv2.docx“, but that sample uses a different communications password over the same set of C2s. The documents may be drafts of a final report released in December by the International Institute for Democracy and Electoral Assistance (IDEA), a part of the STEP Democracy initiative. The IDEA is “part of the European Union-funded project Support to Electoral Processes and Democracy (STEP Democracy)” whose goal is to support democracy worldwide. The IDEA has been working with Myanmar before and after their recent election to ensure “peaceful, transparent and credible elections.” Part of this work includes publishing reports and drafts such as those referenced above. In this case, the bait file document metadata contains a company name of “IDEA” with an author of “Sophia” – possibly referencing a current member of the organization and a last edited date of November 20, 2015. The content of the document details a debate around the democratic elections in Myanmar. This timeline would put the targeting past the elections that occurred in early November, but appears to still be focused on individuals interested in democracy inside of Myanmar. The targeting of the post-election Myanmar appears to be following the same style as what was mentioned in the “Uncovering the Seven Pointed Dagger” paper by ASERT. In this case however it appears that threat actors began using references to the STEP organization to continue their likely spearphish tactic by leveraging content relevant to post-election Myanmar. A possible connection exists given that the C2 for these samples – jackhex.md5c[.]com – resolved to an IP contained within 103.240.203.0/22 as did a 9002 RAT sample in the Seven Pointed Dagger exploitation campaign. A “LURK0” Gh0strat and another PIVY domain were also observed to have resolved to IPs contained within this range, making this subnet more suspicious from a targeted attack perspective.

Dropped document referencing Myanmar’s democratic process

A number of documents that appear to be economically focused were also observed recently and one of these samples also references Myanmar. This sample used a campaign ID of “mm20160405” and dropped a document named “Chairman’s Report of the 19th ASEAN Regional Forum Heads of Defence Universities, Colleges, Instiutions Meeting, Nay Pay Taw, Myanmar.doc” that references an Association of Southeast Asian Nations (ASEAN) meeting that took place in Myanmar in September of 2015. The timing of this sample is quite different from the earlier sample and seems to suggest at least a followup campaign due to the malware compilation timestamp of March 28, 2016, combined with an apparent timestamp value in the campaign ID of April 5, 2016 and the fact that the binary was first observed in the wild on April 11, 2016. The mutex specified in the configuration – 20150120 – is the same mutex used in the earlier sample that dropped a document referencing the STEP program, but this mutex is also used in many other PIVY samples that use the “ActiveUpdate” directory structure and is likely not useful for identifying the campaign or a relationship between samples outside of possibly sharing a similar version. The C2 used in this sample – admin.nslookupdns[.]com – resolved to an IP contained in the subnet 118.193.218.0/24. Similar to the previous sample discussed, ASERT has observed an overlap between many other malware families including Nitol, Gh0strat, and another PIVY sample that uses “ActiveUpdate“. This sample’s C2 domain is news.tibetgroupworks[.]com which provides an obvious suggestion at targeting dynamics, however no decoy documents were dropped and no further information was discovered to help support the targeting hypothesis.

Dropped document referencing ASEAN meeting in Myanmar

Continuing on with the theme of campaigns targeting ASEAN, sample 31756ccdbfe05d0a510d2dcf207fdef5287de285 drops a decoy document named “Robertus Subono-REGISTRATION_FORM_ASEAN_CMCoord2016.docx” that references an ASEAN Humanitarian Civil Military Coordination meeting that took place in Bangkok between March 28 and April 1 2016. The document purports to be a registration form for an attendee from Indonesia and is supposed to be sent to a Thailand Ministry of Defense email address. The sample has a compilation date of March 10, 2016, was first observed by ASERT on March 20, 2016 and also contains an invalid digital signature claiming to be signed by Google. Coupling the campaign ID of “modth” with the purpose and location of the meeting and the email address this form is supposed to be mailed to, a possible target of this sample could be Thailand’s Ministry of Defense. The C2s used by this sample overlap with the prior sample that references the ASEAN meeting in Myanmar nearly perfectly – the first C2 uses port 80, whereas the prior sample used 81 and they both use the same mutex and password. This overlap suggests a possible ongoing targeting towards ASEAN members and meetings that they hold.

The decoy document “2016.02.29-03.04 -ASEM Weekly.docx” dropped by ec646c57f9ac5e56230a17aeca6523a4532ff472 was also interesting in that it was not in English like the other two observed documents – Google Translate identifies the language in the document as Mongolian.

The decoy document 1.docx that is dropped by f389e1c970b2ca28112a30a8cfef1f3973fa82ea shows as corrupted when executed in a sandbox, but manual recovery yielded a document in Korean with a malware campaign ID of kk31. The document appears to reference Korean language schools abroad and the telephone number present yields an affiliation with the Korean Ministry of Foreign Affairs, but the intended target is unclear at this time.

Korean language decoy document dropped by

Sample f389e1c970b2ca28112a30a8cfef1f3973fa82ea dropped a decoy document named “Commission on Filipinos Overseas & Dubai.doc“, but this document did not render correctly in a malware sandbox or manually. VirusTotal revealed a sample from the Philippines which suggests that they, not Dubai / UAE, were the targets. The C2s for this sample used webserver.servehttp[.]com, also exhibited by many of the recent samples which suggests the same actor may be involved in this campaign activity.

Conclusion

As this post and other recent posts detail, PIVY continues to evolve and be used in a myriad of targeted exploitation campaigns – not unlike many other targeted malware families such as PlugX or the Dukes. This will certainly not be the last evolution of PIVY, and ASERT continues to monitor these threats as they are discovered. I would also like to say thank you to Curt Wilson of ASERT for his assistance with research covered in this post.

IOCS

Configuration elements and additional information for samples discussed in this article.

Subscribe to this blog

First Name*

Last Name*

Company*

Email*

Comments

This field is for validation purposes and should be left unchanged.

Asert

Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the benefit of today’s enterprise and network operators. ASERT engineers and researchers are part of an elite group of institutions that are referred to as ‘super remediators’ and represent the best in information security. ASERT has both visibility and remediation capabilities at nearly every tier one operator and a majority of service provider networks globally.

ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via in-band security content feeds. ASERT also operates the world’s largest distributed honeynet, actively monitoring Internet threats around the clock and around the globe.

Arbor Networks has collaborated with Jigsaw (formerly Google Ideas) to create a data visualization that shows how Distributed Denial of Service (DDoS) attacks have become a global problem. The data is updated daily from Arbor’s global network of sensors and can be viewed at www.digitalattackmap.com